The page may not load correctly.
July 26, 2022
Over the month, Doctor Web’s malware analysts discovered dozens of malicious apps on Google Play. Among them were adware trojans, fake apps used by scammers, info-stealers targeting confidential data, and others.
Program modules incorporated into Android applications. These are designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.
In June, Doctor Web’s virus laboratory uncovered almost 30 adware trojans from the Android.HiddenAds family, with more than 9,890,000 downloads combined. These included both new members of the family (like Android.HiddenAds.3168, Android.HiddenAds.3169, Android.HiddenAds.3171, Android.HiddenAds.3172, and Android.HiddenAds.3207), and new modifications of the already known Android.HiddenAds.3158 malware, which was covered in our May review.
All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others.
Below is a list of the names of the apps containing these trojans:
To display ads, some of them request permission to show windows over other apps; the rest ask users to add them to the exclusion list of the battery-saving feature. In addition, to make it more difficult for users to detect malicious apps in the future, the trojans hide their icons from the list of installed apps in the home screen menu—or, they replace the icons with less noticeable ones. Take, for example, the icon named “SIM Toolkit”, which when selected, launches an eponymous system app for working with SIM cards—instead of the original app.
Below are examples of how these trojans try to gain access to needed functions:
An example of how one of the trojans replaces its icon:
Moreover, our specialists discovered yet other trojans from the Android.Joker family which are capable of downloading and executing arbitrary code and subscribing victims to paid mobile services without their knowledge. One of them was hidden in third-party launcher “Poco Launcher”, while another was in the “4K Pro Camera” app. A third was in the ‘Heart Emoji Stickers” stickers collection app. They were added to the Dr.Web virus database as Android.Joker.1435, Android.Joker.1461, and Android.Joker.1466, respectively.
New malware from the Android.PWS.Facebook family were also among the threats we discovered. Dubbed Android.PWS.Facebook.149 and Android.PWS.Facebook.151, they are designed to steal data that can be used to hack Facebook accounts. The trojans were distributed as image editing software under the names “YouToon - AI Cartoon Effect” and “Pista - Cartoon Photo Effect”.
Upon launching, they asked potential victims to log in to their accounts and then loaded a genuine Facebook authorization page. Next, they hijacked the authentication data and sent it to malicious actors.
Doctor Web’s specialists also discovered an Android.Click.401.origin trojan. It was hiding in two apps: “Water Reminder- Tracker & Reminder”, which helped users drink more water and stay hydrated, and “Yoga- For Beginner to Advanced”, a yoga curriculum app. Both were fully functional software, so users had no reasons to suspect that they were malicious.
This trojan decrypts and launches the main malicious component (detected by Dr.Web as Android.Click.402.origin) hidden inside its file resources, which covertly loads various websites in WebView. Next, this component simulates user actions, automatically clicking on interactive elements located on these sites—for example, banners and advertisement links.
Another uncovered threat was a fake app for online communication called “Chat Online”. Several modifications of this malware were added to the Dr.Web virus database as Android.FakeApp.963 and Android.FakeApp.964.
This trojan does not provide any of its declared functionality. It only loads different websites, including fraudulent ones. On some of them, the process of registering for online dating services is simulated. And this is when potential victims are asked to provide their mobile phone number, email, and other personal data. This information could subsequently end up on the black market and be used by scammers.
On other websites, a dialog with a real person is imitated, and the user is then asked to pay for full premium access to continue “chatting”. Any user agreeing to this can end up not only having their account debited for a one-time set amount or being subscribed to a paid service they don’t need, but also losing all their money—if cybercriminals get hold of their bank card details.
Doctor Web informed Google about the discovered threats. At the time of this review’s release, some of the malicious apps were still available for download.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.